New csf v7.66


  • Fixed UI status form tags
  • Added new option LF_SPI. This option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default. If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost
  • Added common systemd logs to csf.logignore for new installs
  • Modify LF_IPSET in csf to print failure messages instead of aborting on error
  • On servers using systemd if firewalld found to be active, csf and lfd will not start until is is stopped and disabled as csf cannot be used with firewalld
  • Added option SYSTEMCTL to csf.conf as the location of the systemctl binary for use with servers using systemd

New cxs v5.22


  • Ensure timestamp and cxs command are prepended to –report [file]
  • Fix cxs Watch Timestamp in report emails
  • When using –options W ensure that resource is a directory and not a symlink or socket

New cxs v5.21


  • Fixed issue in cxs Watch when –www is used and a new account is created through restore on cPanel servers
  • cxs Watch now tracks the parent directories for all users when –allusers is used and will add them back if they disappear and are recreated Firewall Bug

It has come to our attention from multiple clients that there is a bug in the server providers firewall that prevents access to some of our servers. This causes accessibility issues when trying to install or upgrade scripts, e.g. csf.

If you have a server at with this issue and use their external firewall offering, then you need to either turn off their firewall for the server or, if possible, whitelist the IP addresses for: (currently – for all our scripts (currently – for cxs and msfe

Lastly, we would suggest you report the issue to and hopefully they will fix their firewall product despite their protestations that they are not blocking anything.